Qualys celebrates 20 years by doing what it has always done: adapt


MARCH 13 2019 
By Patrick Daly, Scott Crawford 


After two decades in business, Qualys shows no signs of slowing its efforts to update its product portfolio with a 
slew of new products and acquisitions announced over the last year. 
Summary


Over the last year, Qualys announced several new applications for its cloud-based platform that will help the 
company support changing dynamics in enterprise IT and made three strategic acquisitions to strengthen its 
existing capabilities. While the company’s core offerings are well established in the market, recent additions
such as the Qualys Global IT Asset Inventory demonstrate an ongoing need for organizations to get a handle on
security basics, which suggests the upside that continues to drive Qualys’ value proposition to consolidate all of 
an organization’s vulnerability and compliance information into a single dashboard. As enterprise IT environments 
continue to become increasingly complex, this value proposition could become even more compelling. 


451 TAKE 


Qualys’ product announcements over the last year reinforce the company’s commitment to solving 
an enterprise’s most tangible pain points in vulnerability and risk management. What still remains 
to be seen is how much traction each of its latest offerings will gain in a progressively crowded 
marketplace, especially as cloud providers take on a growing share of vulnerability management 
functionality for their own environments. Qualys’ value proposition is still strong, however, in its 
ability to provide a single view into an enterprise’s environment across multiple cloud providers 
and on-premises. The company faces challenges from entrants that seek to capitalize on ways to 
help organizations better prioritize and remediate vulnerabilities, a long-standing challenge to 
basic security assurance. Qualys’ introduction of a global asset inventory and a patch management 
application could further strengthen its position, however, by helping organizations to better 
close the loop on vulnerability management processes, allowing customers to discover, assess and 
remediate all of their vulnerabilities and ensure regulatory compliance from a single dashboard. 


Context 


Qualys’ goal has long been for its platform to be a one-stop shop for all enterprises’ vulnerability and risk 
management needs. However, the nature of those vulnerabilities continues to change in tandem with the 
evolution of enterprise IT. These include new software paradigms, namely the increased adoption of non-Windows
operating systems and open source software components in the enterprise; new network architectures,
specifically the influence of cloud infrastructure and hybrid environments; new application delivery models like
SaaS and containers; and the proliferation of unmanaged BYOD and IoT devices.


Fortunately, Qualys has a history that helps it keep up with the rapid pace of IT innovation. The company 
pioneered security functionality delivered ‘as a service’ at a time when many in the industry questioned whether 
enterprises would trust their sensitive vulnerabilities to a third-party provider - a move that has since proved 
prescient. Qualys built its SaaS platform to be highly modular, enabling it to easily add new applications
to consolidate security management functionality. These decisions gave the company a head start on the
vulnerability management market and continue to support its ability to expand its portfolio at a rapid pace 
through both organic and inorganic means. Over the last year, Qualys has made a slew of announcements that 
demonstrate its commitment to innovating alongside the evolving IT landscape, including: 


- Three acquisitions since the start of 2018
- A global IT asset inventory application
- A container security application
- A patch management application
- Consolidated management of cloud asset vulnerabilities (CloudView)
Products


The Qualys Cloud Platform provides enterprise security and IT teams with a consolidated view of vulnerabilities 
across the IT environment. The company’s most recent product announcements, including the launch of Qualys 
Global IT Asset Inventory, CloudView, container security (CS) and patch management (PM), expand upon these 
capabilities by adding support for new technologies and simplifying the management of vulnerabilities and risk 
across complex, hybrid environments. 


Qualys Global IT Asset Inventory discovers and inventories an enterprise's IT assets through a combination of 
Qualys agents, network scanners and passive network sensors, enabling the company to capture data from 
managed and unmanaged devices alike. The use of passive network sensors is critical to discovering unmanaged 
BYOD and IoT devices that connect to the corporate network but historically have been invisible to IT teams.
Asset information collected includes all of the active devices, servers and virtualized operating systems, whether
on-premise, in the cloud or from the mobile workforce. It maintains a software inventory across these environments,
which enables enterprises to manage the full lifecycle, including the end-of-life process that determines when 
software needs to either be upgraded or replaced. 


Qualys CloudView consolidates inventory and security information from disparate cloud resources into a
single dashboard, simplifying the process for IT teams and security practitioners to maintain their security and
compliance postures across multi-cloud environments. There are two separate components to CloudView: 
cloud inventory and cloud security assessment. Cloud inventory identifies cloud resources in use and provides 
a view of how individual resources interact with one another. Cloud security assessment continuously monitors 
cloud assets to ensure compliance with regulations and industry standards, provides remediation instructions, 
prioritizes risks to expedite remediation and integrates with an enterprise's existing DevOps pipeline to funnel 
security assessments to an organization’s teams. 


Qualys CS launched at DockerCon 2018 to help enterprises discover and inventory container assets, providing 
visibility into all an enterprise’s container images, hosts, instances and security posture across hybrid and
multi-cloud environments. With the acquisition of Layered Insight in November 2018, it added application runtime
visibility and protection to Qualys CS across the entire container lifecycle. Information gathered and presented to
users includes images, image registries, containers running and container hosts, as well as associated metadata
for every image and container. Qualys CS identifies ‘rogue’ containers, container instances that have drifted from
the original image and are exhibiting anomalous characteristics. All application-level activities are gathered from 
within each container and automatically converted into a behavior profile, which is then enforced as normal 
behavior on each running container. It also identifies vulnerable containers and images, pushing vulnerability 
data to development teams for remediation. The company announced at AWS re:Invent in November that it would 
be adding Qualys CS to the AWS Marketplace for containers, allowing Qualys customers to use the application 
directly within Amazon Elastic Compute service. 


Qualys’ most recent product release was the launch of Qualys PM, which brought remediation capabilities directly 
to the Qualys Cloud Platform for the first time in the company’s history. If a patch is available for vulnerabilities 
discovered during the scanning process, Qualys PM can map the vulnerability to all related patches and deploy 
them instantly across all affected assets. 


In addition, Qualys announced at its most recent user conference that it would be creating a data lake composed 
of information gathered across customer deployments. The company says that the data lake will act as the basis 
for an event management platform. 
Acquisitions


Qualys has been very acquisitive lately, purchasing three companies since the start of 2018. The most recent buy 
was the February pickup of Adya, a cloud application management vendor that should provide customers with 
further visibility into the security and compliance status of their cloud applications. Qualys purchased Layered 
Insight in November 2018 and folded it into Qualys CS. It acquired mobile device management vendor 1Mobility 
in April 2018 to improve customers’ visibility into BYOD and IoT devices. Qualys also bought a minority stake in
API security vendor 42Crunch within the last year, the company’s first venture investment, which gives it a hand in
mitigating API-related security exposures, as well as latitude for further development in this direction.


Competition 


In the broad vulnerability management sphere, Qualys competes primarily with Rapid7, Tenable, Tripwire and 
(primarily through managed services) Trustwave. It also competes with the penetration testing and network 
security services of the recently rebranded SecureAuth. All of these vendors feature vulnerability scanning, 
prioritization and remediation as part of their product portfolios and, like Qualys, have recently begun supporting 
container environments. 


In addition to these incumbents, a more recent class of vendor has emerged that focuses on improving upon 
the existing vulnerability management process with greater automation and orchestration of prioritization and 
remediation. Companies such as Kenna Security, NopSec, RiskSense and Vulcan Cyber fall into this category. 
However, while these vendors may compete with Qualys on the prioritization and remediation side, they aren't 
necessarily direct competitors. Many of these vendors consume the vulnerability data produced by vulnerability 
assessment tools, including Qualys, making them at least partly complementary offerings. 


A market has emerged for container-specific vulnerability management, and companies such as Aqua Security 
and Twistlock have formed to take advantage of the opportunity. These vendors are directly competitive with 
Qualys CS and have a head start on marketing and product development since they were all founded before 
Qualys launched CS earlier this year. An additional category of vendor is also beginning to emerge among those 
that offer container vulnerability management for developers such as Snyk, which competes more directly in 
the software composition analysis market. However, Qualys’ existing penetration and breadth give the growing
scope of its offerings a leg up against some of these more recent challengers. 
SWOT Analysis


STRENGTHS 


Qualys’ announcements over the last year 
reinforce the company's ability to support 
changing enterprise IT environments even as 
they grow in complexity. 


THREATS


Cloud-native security offerings are a
prominent value-add for cloud providers. 
Their expansion into the various markets in 
which Qualys has a strong presence could 
threaten aspects of the company's business. 